Privacy Policy 100% Private
Last Updated: November 23, 2024
TL;DR: This extension does not collect, store, transmit, or share any of your personal data. Everything works 100% locally on your device. We have no servers, no analytics, and no tracking.
1. Introduction
TOTP Authenticator ("we", "our", or "the extension") is a privacy-focused Time-based One-Time Password (TOTP) authentication application. This Privacy Policy explains our commitment to protecting your privacy and describes how we handle (or more accurately, don't handle) your data.
2. Data Collection
2.1 What We Don't Collect
We do NOT collect any data whatsoever, including but not limited to:
- Personal information (name, email, phone number, etc.)
- TOTP secret keys or account information
- Usage statistics or analytics
- Browser history or browsing behavior
- Device information or identifiers
- IP addresses or location data
- Any form of telemetry or diagnostic data
2.2 What We Store Locally
The following data is stored ONLY on your local device using Chrome's local storage (chrome.storage.local):
- Your TOTP account information (account names, issuers, secret keys)
- Application settings (theme, language preferences)
- PIN code hash (if you enable PIN protection)
Important: This data never leaves your device. It is not synchronized, uploaded, or transmitted to any server.
3. How Your Data is Protected
3.1 Local-Only Storage
All your data is stored exclusively in Chrome's local storage on your device. This storage is:
- Isolated to this extension only
- Not accessible by websites or other extensions
- Not synchronized across devices (unless you manually export/import)
- Automatically cleared when you uninstall the extension
3.2 Optional Encryption
You can optionally enable PIN protection, which encrypts your TOTP secret keys using:
- AES-256-GCM encryption algorithm
- PBKDF2 key derivation (100,000 iterations)
- Your PIN code as the encryption key (never stored in plain text)
3.3 No Network Access
This extension does not request any network permissions and cannot:
- Connect to the internet
- Send data to remote servers
- Communicate with external services
- Track your online activity
4. Permissions Explanation
The extension requests the following Chrome permissions:
4.1 Required Permissions
- storage: Required to save your TOTP accounts and settings locally on your device. No data is uploaded to any server.
4.2 Optional Permissions
- clipboardWrite: Requested only when you click "Copy" to copy a verification code to your clipboard. This permission is requested at runtime and you can deny it if preferred.
4.3 Permissions We Do NOT Request
We deliberately do not request permissions for:
- Network access (no internet connection)
- Tab access (cannot see what websites you visit)
- Browsing history
- Cookies or website data
- Location services
5. Third-Party Services
We do not use any third-party services. There are no:
- Analytics services (no Google Analytics, no tracking)
- Advertising networks
- Cloud storage providers
- External APIs or services
- Crash reporting tools
6. QR Code Recognition
When you upload or paste a QR code image to add a new account:
- The image is processed entirely within your browser using the open-source jsQR library
- No image data is uploaded to any server
- The image is discarded immediately after parsing
- Only the extracted TOTP parameters are saved locally
7. Import/Export Functionality
The extension allows you to export and import your accounts:
- Export creates a local file (JSON or URI format) on your device
- You can optionally encrypt the export file with a password
- Export files are never uploaded anywhere
- Import reads files directly from your device
- You have full control over where export files are stored and who has access to them
Security Note: If you share an unencrypted export file, the recipient will have access to your TOTP secret keys. Always use password encryption when exporting sensitive data.
8. Open Source
This extension is open source, which means:
- You can review the entire source code to verify our privacy claims
- Security researchers can audit the code
- The community can contribute improvements
- There are no hidden features or backdoors
Source code repository: [Will be available on GitHub]
9. Data Retention and Deletion
9.1 How Long We Keep Your Data
Since all data is stored locally on your device, you have complete control over data retention:
- Data persists until you manually delete it or uninstall the extension
- We cannot access or delete your data remotely
9.2 How to Delete Your Data
You can delete your data at any time by:
- Using the "Clear All Data" option in Settings
- Deleting individual accounts
- Uninstalling the extension (removes all local storage)
10. Children's Privacy
This extension does not collect any data from anyone, including children under 13. Since we don't collect any personal information, we are compliant with the Children's Online Privacy Protection Act (COPPA).
11. International Users
This extension works entirely offline and locally. Your data never leaves your device, regardless of your geographic location. We do not transfer data across borders because we don't transfer data at all.
12. Changes to This Privacy Policy
If we make any changes to this Privacy Policy, we will:
- Update the "Last Updated" date at the top of this page
- Notify users through the extension's update notes
- Maintain our commitment to user privacy
We will never change this policy to allow data collection without your explicit consent.
13. Your Rights
Since we don't collect your data, traditional data privacy rights (access, rectification, deletion, portability) are inherently protected:
- Right to Access: All your data is accessible to you at all times in the extension
- Right to Rectification: You can edit any data directly in the extension
- Right to Deletion: You can delete any or all data at any time
- Right to Portability: You can export your data in standard formats (JSON, URI)
- Right to Object: Not applicable as we don't process your data for any purposes beyond what you explicitly request
14. Security Measures
We implement industry-standard security practices:
- All code follows secure coding guidelines
- Optional AES-256-GCM encryption for sensitive data
- No storage of passwords in plain text
- Regular security audits of the codebase
- Use of Chrome's secure storage APIs
- Input validation to prevent injection attacks
15. Compliance
This extension is designed to be compliant with:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Children's Online Privacy Protection Act (COPPA)
- Chrome Web Store policies
Note: Compliance is simplified by the fact that we don't collect any data.
16. Cookies and Tracking Technologies
This extension does not use:
- Cookies
- Web beacons
- Tracking pixels
- Fingerprinting techniques
- Any other tracking technologies
18. Transparency Commitment
We believe in complete transparency:
- This Privacy Policy describes exactly how the extension works
- The source code is available for review
- We have no financial incentive to collect your data
- We will never sell, rent, or share your data because we don't have it
19. Summary
In Plain English:
TOTP Authenticator is completely private. It works 100% locally on your device, never connects to the internet, and doesn't collect any data about you. Your TOTP codes and account information stay on your device and are under your complete control. We can't see your data, we don't want your data, and our extension is designed from the ground up to protect your privacy.
© 2024 TOTP Authenticator. Licensed under MIT License.
Built with privacy in mind. No data collection, ever.